[unisog] MS alg.exe listening on tcp

Bradley Ellis Bradley.Ellis at its.monash.edu.au
Sun Apr 9 23:45:08 GMT 2006


Hi John,

One thing you may wish to check is what address alg.exe is
"bound to" or "listening on".

Sometimes services that are intended for "local use only"
bind to the localhost address (127.0.0.1). They are
accessible from the local machine - e.g. telnet localhost <port>,
but they are not accessible from the network - as they aren't
listening on the ethernet address and are not forwarded to localhost.

E.g.: the NTP port in use by the Windows time service - would be
accessible from the local machine - but not the network.

C:\>netstat -abn

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    127.0.0.1:123          *:*                                    1212
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

Cheers,
Brad.
--
Bradley Ellis
Senior IT Security Officer, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone:  9905 1383

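Brad's advice comes down to reading the bind address of each listener rather than just the port. The script below is an added example, not part of the original thread: it parses netstat -abn output in the layout shown above, keeps the DLL and [process] lines with the socket they belong to, and reports only the listeners bound to something other than loopback. The sample output is constructed; the UDP 123 record mirrors the message, while the two TCP records (svchost.exe on 0.0.0.0:135 and alg.exe on 127.0.0.1:1025) are illustrative, not observed values.

```python
from ipaddress import ip_address
# Constructed sample in the layout of "netstat -abn" on Windows XP. The UDP 123
# record copies the message above; the two TCP records are made up to show the
# contrast (alg.exe's port and bind address vary from host to host).
SAMPLE_NETSTAT = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  c:\windows\system32\WS2_32.dll
  [svchost.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1088
  [alg.exe]
  UDP    127.0.0.1:123          *:*                                    1212
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]
"""

def is_loopback(host):
    """True for 127.x.x.x / ::1; False for 0.0.0.0, "::" and real interface IPs."""
    try:
        return ip_address(host.strip("[]")).is_loopback
    except ValueError:  # e.g. "*" in older netstat output
        return False

def parse_netstat(text):
    """One record per socket; following DLL and [process] lines are attached to it.
    TCP rows carry a State column, UDP rows do not; the PID is always the last field."""
    records = []
    for line in text.splitlines():
        entry = line.strip()
        parts = entry.split()
        if not parts:
            continue
        if parts[0] in ("TCP", "UDP"):
            host, port = parts[1].rsplit(":", 1)
            records.append({"proto": parts[0], "host": host, "port": int(port),
                            "state": parts[3] if len(parts) == 5 else "",
                            "pid": int(parts[-1]), "loopback": is_loopback(host),
                            "modules": [], "process": None})
        elif records and entry.startswith("[") and entry.endswith("]"):
            records[-1]["process"] = entry[1:-1]
        elif records:
            records[-1]["modules"].append(entry)
    return records

def exposed_listeners(records):
    """Listeners bound to a non-loopback address, i.e. reachable from the network."""
    return [r for r in records
            if not r["loopback"] and (r["proto"] == "UDP" or r["state"] == "LISTENING")]
```

Feed it the real netstat -abn output of a host and anything alg.exe has bound to 127.0.0.1 drops out of the exposed list, which matches the RST/ACK John sees when connecting from the network.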
> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of John York
> Sent: Saturday, 8 April 2006 5:20 AM
> To: unisog at lists.sans.org
> Subject: [unisog] MS alg.exe listening on tcp
> 
> 
> New XP sp2 images with current patches have alg.exe listening 
> on a TCP port, usually between 1024 and 2000.  Googling shows 
> that alg.exe is MS application level gateway, and is related 
> to windows firewall and internet connection sharing(1).  
> Another document says ALG "provides support for independent 
> software vendors (ISVs) to write protocol plug-ins that allow 
> their proprietary network protocols to pass through the 
> firewall and work behind ICS."(2)  OK.  When something is 
> using ALG, how do I know what that something is?  TCPview and 
> netstat -abn just show that alg.exe is using the port.  What 
> told ALG it needed that port?
> The doc in (2) also says only FTP has a plug-in that ships 
> with server 2003, no mention of anything for XP.  I did find 
> one link(3) that says Symantec may kick it off, and we have 
> Symantec AV.
> 
> The machines in question do not have ftp installed, and 
> internet connection sharing is disabled on the network 
> control panel.  When I try to connect to the port (windows 
> firewall off) using netcat or telnet, I receive an RST/ACK 
> for every SYN sent--not acting like an open port.
> Nmap doesn't show the port open either.  I don't think these 
> machines are infected, and that I'm seeing normal ops.
> 
> Anyway, alg.exe is spooky.  Does it really provide 
> passthrough for windows firewall?  If so, how do you tell 
> what's using it?  Why does the port show as listening to 
> TCPView and netstat, but I can't connect to it?
> 
> thanks
> John
> 
> (1) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconComponentizedWindowsServices.asp
> (2) http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/svrxpser_7.mspx
> (3)http://www.mcse.ms/message1238135.html
> 
> John York
> Network Engineer
> Blue Ridge Community College
> 1 College Lane, Weyers Cave, VA 24486
> 540.453.2255 
> 